XZ backdoor in a nutshell
Posted by Possibly linux@lemmy.zip to Linux@lemmy.ml · 9 months ago · 136 comments
Amju Wolf@pawb.social · 9 months ago

Packages or dependencies with only one maintainer that are this popular have always been an issue, and not just a security one. What happens when that person can’t afford to or doesn’t want to run the project anymore? What if they become malicious? What if they sell out? Etc.

https://xkcd.com/2347

slazer2au@lemmy.world · 9 months ago

What if the repository becomes stupid and takes a package away from a developer, and said developer deletes his other packages? See leftpad.